Exploring SIEM solutions and their security benefits
What is SIEM?
A Security Information & Event Management (SIEM) solution combines two security management operation strategies to provide businesses with a comprehensive view of both past and current security activity within their infrastructure.
The two security management strategies employed in a SIEM are:
- Security information management: the collection and collation of log data from key business systems and security tools, enabling in-depth historical analysis of that data to identify anomalies which could indicate threat actors already inside the perimeter.
- Security event management: real-time notification of security events (based on use-case scenarios) which spans multiple data sources and combines their events to unearth activity that would otherwise appear innocuous.
The combination of these two data analytics approaches, delivered through a single interface, is one of the key techniques employed by the NCC Group Security Operations Center (SOC) to protect our customers’ IT environments from the ever-increasing onslaught of cyber security threats.
The big picture of security
At the heart of any SIEM offering is the ability to collect large amounts of data in various formats from different systems and transform (or normalise) it into a common structure. This enables a holistic view of all security activity in the IT environment and makes it possible to identify anomalies which need further investigation.
Collating data from the various systems of interest to security in a business IT environment (e.g. Active Directory, firewalls, intrusion detection systems, network traffic monitors, etc.) allows for correlation across the data sources. This means that events from a single source which do not appear harmful in isolation may tell a different story when combined and correlated with all related events from other sources.
Getting a return on a SIEM investment
To ensure a SIEM implementation is as effective and successful as possible there are some essential actions that should be taken:
- Analyse data from as many of the security and business systems identified as key assets or major risks as is feasible, in order to meet the success criteria for the project. This approach to risk management will of course need to be balanced against budget constraints. However, the more business-critical information that can be fed into the SIEM system, the broader the context and the more insightful the output.
- Set up the use cases in line with your business's processes. This is potentially the most difficult aspect of a SIEM implementation but is vital to its success. The analytics engine needs to be able to spot activity outside of normal usage and to recognise when business-critical systems are under threat.
- Have a dedicated team to investigate alerts and continually tune out false positives. There have been a number of high-profile security breaches in the media in which the affected business had a SIEM platform but did not have the skilled resources in place to monitor alerts and respond accordingly. Without a continual process of tuning out false positives and reducing false negatives, there is a risk that serious threats go unnoticed in a sea of alerts.
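To make the normalisation and cross-source correlation described under "The big picture of security" concrete, and to show the threshold and allow-list tuning that the list above calls for, here is an added Python example. It is not code from this post or from any of the SIEM products NCC Group uses. It assumes two constructed feeds: Windows logon events (4624 success / 4625 failure) exported as key=value text, and a firewall syslog feed; the host names, addresses, the syslog year and the alert thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample feeds for this example (not real customer data).
AD_LOGS = [
    "2017-10-17T09:00:01 EventID=4625 TargetUserName=jsmith IpAddress=10.0.1.5",
    "2017-10-17T09:00:05 EventID=4625 TargetUserName=jsmith IpAddress=10.0.1.5",
    "2017-10-17T09:00:09 EventID=4625 TargetUserName=jsmith IpAddress=10.0.1.5",
    "2017-10-17T09:00:15 EventID=4624 TargetUserName=jsmith IpAddress=10.0.1.5",
    "2017-10-17T09:00:20 EventID=4625 TargetUserName=amiller IpAddress=10.0.2.7",
    "2017-10-17T09:00:30 EventID=4624 TargetUserName=amiller IpAddress=10.0.2.7",
    "2017-10-17T09:00:40 EventID=4625 TargetUserName=svc_scan IpAddress=10.0.9.9",
    "2017-10-17T09:00:41 EventID=4625 TargetUserName=svc_scan IpAddress=10.0.9.9",
    "2017-10-17T09:00:42 EventID=4625 TargetUserName=svc_scan IpAddress=10.0.9.9",
    "2017-10-17T09:00:50 EventID=4624 TargetUserName=svc_scan IpAddress=10.0.9.9",
]
FW_LOGS = [
    "Oct 17 09:01:30 fw01 action=allow src=10.0.1.5 dst=203.0.113.10 dport=443",
    "Oct 17 09:02:00 fw01 action=allow src=10.0.2.7 dst=203.0.113.20 dport=443",
    "Oct 17 09:02:10 fw01 action=allow src=10.0.9.9 dst=203.0.113.30 dport=443",
]


@dataclass
class Event:
    """Common structure every feed is normalised into."""
    ts: datetime
    source: str            # which feed the event came from ("ad" or "fw")
    action: str            # shared vocabulary across feeds
    src_ip: str
    user: Optional[str] = None
    dst_ip: Optional[str] = None


AD_ACTIONS = {"4624": "logon_success", "4625": "logon_failure"}
KV = re.compile(r"(\w+)=(\S+)")
FW_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ (.*)$")


def parse_ad(line: str) -> Optional[Event]:
    ts_text, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    action = AD_ACTIONS.get(fields.get("EventID", ""))
    if action is None:
        return None            # event types this rule does not use are dropped
    return Event(datetime.fromisoformat(ts_text), "ad", action,
                 fields["IpAddress"], user=fields["TargetUserName"])


def parse_fw(line: str, year: int = 2017) -> Optional[Event]:
    m = FW_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the sample assumes 2017
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    fields = dict(KV.findall(m.group(2)))
    if fields.get("action") != "allow":
        return None
    return Event(ts, "fw", "conn_allow", fields["src"], dst_ip=fields["dst"])


def normalise(ad_lines, fw_lines):
    """Merge both feeds into one time-ordered stream of Event records."""
    events = [e for e in map(parse_ad, ad_lines) if e]
    events += [e for e in map(parse_fw, fw_lines) if e]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, fail_threshold=3, window=timedelta(minutes=10),
              allowlisted_ips=frozenset()):
    """Use case: repeated logon failures that end in a success, followed by an
    outbound connection from the same host. Each event alone looks routine;
    the alert only fires on the combination. Threshold and allow-list are the
    tuning knobs an analyst adjusts to remove known-benign sources."""
    failures = defaultdict(list)       # (user, src_ip) -> failure timestamps
    alerts = []
    for ev in events:
        if ev.action == "logon_failure":
            failures[(ev.user, ev.src_ip)].append(ev.ts)
        elif ev.action == "logon_success":
            recent = [t for t in failures[(ev.user, ev.src_ip)] if ev.ts - t <= window]
            if len(recent) < fail_threshold or ev.src_ip in allowlisted_ips:
                continue
            outbound = [o for o in events
                        if o.action == "conn_allow" and o.src_ip == ev.src_ip
                        and ev.ts <= o.ts <= ev.ts + window]
            if outbound:
                alerts.append({"user": ev.user, "src_ip": ev.src_ip,
                               "failures": len(recent), "logon_at": ev.ts,
                               "outbound_to": sorted({o.dst_ip for o in outbound})})
    return alerts


if __name__ == "__main__":
    # 10.0.9.9 plays the role of a known vulnerability scanner, tuned out by allow-list
    for alert in correlate(normalise(AD_LOGS, FW_LOGS), allowlisted_ips=frozenset({"10.0.9.9"})):
        print(alert)
```

Run without the allow-list and the rule fires for both jsmith and the scanner account; with the allow-list only the jsmith chain remains, which is the kind of false-positive tuning the list above describes. In a real deployment the failure counts would be kept in the SIEM's state store rather than a dictionary, and the firewall lookup would be an indexed query rather than a scan of the event list.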
NCC Group has been implementing and managing SIEM services for over a decade, building a vast pool of expertise and developing our own implementation methodology to ensure customers get the maximum benefit from the service as quickly as possible.
The human element
The NCC Group Managed SIEM service makes full use of the available historical data by including a regular proactive investigation to assess if there is any evidence of suspicious activity. This threat hunting exercise is carried out by highly experienced SOC analysts who are able to spot anomalies that automated tools would not necessarily detect.
The human element is a vital component in delivering the managed service, complementing the advanced SIEM technology and extensive utilisation of data sets. This human input is increasingly important as threat actors are continually developing new tactics and techniques to evade tools that rely on known patterns of behaviour to generate alerts.
Threat hunting can also be used to supplement risk analysis activities. We recently undertook this exercise for a customer and identified a large number of unpatched host machines which were still vulnerable to the EternalBlue SMB exploit, most notably known as the propagation method for the WannaCry ransomware outbreak. The SIEM systems used by NCC Group have the capability to create dashboards against identified vulnerabilities such as these so that the customer can view their status in real-time and get an accurate assessment of the current risk profile.
NCC Group Managed SIEM
Our Managed SIEM service is monitored and managed by a team of analysts in our 24/7 SOC, and as we offer a comprehensive service level agreement you can be assured that we are doing our utmost to guarantee the safety of your business critical systems and data.
NCC Group are vendor-independent and provide solutions using Splunk, LogRhythm and ArcSight technologies. To help implement these solutions we have hugely experienced professional services teams that have delivered monitoring solutions for various requirements, such as:
- Assessing compliance for key regulatory requirements including PCI and GPG13
- Identifying abnormal business process activity which indicates fraud attempts
- Detecting abnormal user behaviour to alert against insider threats
- Modelling use cases to recognise advanced persistent threat techniques and reduce the impact and risk of contagion
Our team of experts are available for any SIEM support you require, offering end-to-end service with tried and tested engagement, delivery and in-life activity approaches. To find out more and to discuss the scope of your organisation’s requirements, get in touch via your account manager or email us on firstname.lastname@example.org.
Published date: 17 October 2017
Written by: Dominic Carroll and Josh Clark